From 83fb2d5ae3b2a17f76cbaa33629a5744e7b379a1 Mon Sep 17 00:00:00 2001
From: Hunter Copp
Date: Wed, 1 Apr 2026 15:53:35 -0400
Subject: [PATCH 1/7] test: claude code reviewer
---
.github/workflows/claude-code-review.yml | 52 ++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 .github/workflows/claude-code-review.yml
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
new file mode 100644
index 000000000..362323136
--- /dev/null
+++ b/.github/workflows/claude-code-review.yml
@@ -0,0 +1,52 @@
+name: Claude Code Review
+
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [opened, synchronize, ready_for_review, reopened]
+
+concurrency:
+ group: claude-review-${{github.event.pull_request.number || github.run_id}}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ review:
+ name: Review PR
+ # Skip fork PRs because org secrets and internal runner access are unavailable.
+ if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository
+ runs-on:
+ group: claude-code-reviewer
+ steps:
+ - name: Harden the runner (Block unauthorized outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ bun.sh:443
+ github.com:443
+ objects.githubusercontent.com:443
+ registry.npmjs.org:443
+ release-assets.githubusercontent.com:443
+ ${{ vars.LLM_GATEWAY_HOSTNAME }}:443
+
+ - name: Checkout repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 1
+
+ - name: Run Claude Code Review
+ uses: anthropics/claude-code-action@1b8ee3b94104046d71fde52ec3557651ad8c0d71 # v1.0.29
+ env:
+ ANTHROPIC_BASE_URL: https://${{ vars.LLM_GATEWAY_HOSTNAME }}
+ with:
+ anthropic_api_key: ${{ secrets.LLM_GATEWAY_API_KEY }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ track_progress: false
+ prompt: |
+ Review this pull request for correctness, regressions, security, and maintainability.
+ Focus on actionable findings. Do not add style-only feedback covered by linters/formatters.
From 954d02b67f7260e4f49ab7b4caebb0df830fdd76 Mon Sep 17 00:00:00 2001
From: Hunter Copp
Date: Wed, 1 Apr 2026 15:59:05 -0400
Subject: [PATCH 2/7] Update action
---
.github/workflows/claude-code-review.yml | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
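Review bot: Both the egress allowlist entry `${{ vars.LLM_GATEWAY_HOSTNAME }}:443` and `ANTHROPIC_BASE_URL` are derived from a repository/organization variable, so the harden-runner block cannot catch the case it matters most for: whoever can edit that variable redirects `LLM_GATEWAY_API_KEY` to a host of their choosing and the allowlist follows along. Consider hard-coding the gateway hostname in the workflow so a change has to go through PR review and shows in the diff, or, if it must stay a variable, keep it at organization level where repository-level editors cannot change it. If the variable is unset the allowlist gets a bare `:443` entry and the base URL becomes `https://`; a guard step that binds the variable via `env:` and runs `test -n "$LLM_GATEWAY_HOSTNAME"` before the harden step would fail fast with a clear message instead of an obscure egress or connection error.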
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 362323136..56e7b11c4 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -2,6 +2,11 @@ name: Claude Code Review on: workflow_dispatch: + inputs: + pr_number: + description: Pull request number to review when running manually + required: true + type: string pull_request: types: [opened, synchronize, ready_for_review, reopened] @@ -43,10 +48,24 @@ jobs: uses: anthropics/claude-code-action@1b8ee3b94104046d71fde52ec3557651ad8c0d71 # v1.0.29 env: ANTHROPIC_BASE_URL: https://${{ vars.LLM_GATEWAY_HOSTNAME }} + TARGET_PR: ${{ inputs.pr_number || github.event.pull_request.number }} with: anthropic_api_key: ${{ secrets.LLM_GATEWAY_API_KEY }} github_token: ${{ secrets.GITHUB_TOKEN }} track_progress: false prompt: | - Review this pull request for correctness, regressions, security, and maintainability. - Focus on actionable findings. Do not add style-only feedback covered by linters/formatters. + Review pull request #${{ env.TARGET_PR }} in this repository for correctness, regressions, + security, and maintainability. + + Use gh to gather context: + - gh pr view ${{ env.TARGET_PR }} + - gh pr diff ${{ env.TARGET_PR }} + + Post comments only for actionable findings: + - Inline comments for specific issues + - A single top-level summary comment with key findings and risks + + Avoid style-only feedback covered by linters/formatters. + claude_args: | + --model claude-opus-4-6-default + --allowedTools "Bash(gh pr view ${{ env.TARGET_PR }}:*),Bash(gh pr diff ${{ env.TARGET_PR }}:*),Bash(gh pr comment ${{ env.TARGET_PR }} --body:*),mcp__github_inline_comment__create_inline_comment" From ea013caf006568fa3f551061a2ec55121f1a4843 Mon Sep 17 00:00:00 2001 
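Review bot: `pr_number` is declared `type: string` with no validation, yet in the second hunk of this patch it is spliced verbatim into the prompt and into the `--allowedTools` Bash prefixes, so a non-numeric value changes which shell commands the review is permitted to run. Declaring it `type: number` narrows what the dispatch form accepts, and a step that rejects anything not matching `^[0-9]+$` (for example `[[ "$TARGET_PR" =~ ^[0-9]+$ ]] || { echo "pr_number must be numeric"; exit 1; }`) closes the gap for API and CLI callers. Dispatch is limited to users with write access, so this is defense in depth rather than an open hole, but it is a one-line check.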
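Review bot: The new `TARGET_PR` path lets a manual dispatch review any PR number, but the job's `if:` skips the fork check whenever `github.event_name == 'workflow_dispatch'`, so pointing `pr_number` at a fork PR feeds fork-authored title, body and diff into the model while `LLM_GATEWAY_API_KEY` and a `pull-requests: write` token are in scope — the situation the comment above the `if:` says the skip is there to avoid. The added `--allowedTools` list keeps the blast radius to `gh pr view`/`gh pr diff` and posting comments, but a prompt-injected diff could still drive misleading review text onto the PR. Either document that dispatchers are trusted to pick safe PRs, or add a step before the review (with `GH_TOKEN` set) that runs `gh pr view "$TARGET_PR" --json isCrossRepository -q .isCrossRepository` and fails when it prints `true`; that requires moving `TARGET_PR` from the step's `env:` to job-level `env:` so the guard can read it.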
From: Hunter Copp Date: Wed, 1 Apr 2026 16:40:58 -0400 Subject: [PATCH 3/7] Update claude-code-review.yml --- .github/workflows/claude-code-review.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 56e7b11c4..a07d917bd 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -23,8 +23,7 @@ jobs: name: Review PR # Skip fork PRs because org secrets and internal runner access are unavailable. if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository - runs-on: - group: claude-code-reviewer + runs-on: [self-hosted, claude-code-reviewer] steps: - name: Harden the runner (Block unauthorized outbound calls) uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 From 49d8f69f23afedd58fae0f6e1225047039a18151 Mon Sep 17 00:00:00 2001 From: Hunter Copp Date: Wed, 1 Apr 2026 16:47:02 -0400 Subject: [PATCH 4/7] Drop self hosted --- .github/workflows/claude-code-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index a07d917bd..23110f729 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -23,7 +23,7 @@ jobs: name: Review PR # Skip fork PRs because org secrets and internal runner access are unavailable. if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository - runs-on: [self-hosted, claude-code-reviewer] + runs-on: [claude-code-reviewer] steps: - name: Harden the runner (Block unauthorized outbound calls) uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 From e47c6c2e6c0a8a8690faa1649a18d7ea3a44f37d Mon Sep 17 00:00:00 2001 
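Review bot: Moving to `runs-on: [self-hosted, claude-code-reviewer]` changes what the harden-runner step can promise: `egress-policy: block` is documented for GitHub-hosted Ubuntu runners, and I would confirm it is supported and actually active on this self-hosted pool before relying on the allowlist, otherwise the step name "Block unauthorized outbound calls" describes a control that is not there. On a persistent self-hosted machine the model's Bash tool also inherits whatever the runner host has — cached credentials, reachable internal services — which is precisely what the allowlist was meant to fence off; ephemeral or just-in-time runners for this group would limit that. If the pool is known to be ephemeral and harden-runner is verified there, a comment above `runs-on` such as `# ephemeral self-hosted pool; harden-runner egress block verified on this image` would save the next reader the same question.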
From: Hunter Copp Date: Wed, 1 Apr 2026 18:33:35 -0400 Subject: [PATCH 5/7] Update code review workflow --- .github/workflows/claude-code-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 23110f729..d1f5004ca 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -23,7 +23,7 @@ jobs: name: Review PR # Skip fork PRs because org secrets and internal runner access are unavailable. if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository - runs-on: [claude-code-reviewer] + runs-on: claude-code-reviewer steps: - name: Harden the runner (Block unauthorized outbound calls) uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 From cbd5a825f28438541208a06ff3fb93ce5d6c584e Mon Sep 17 00:00:00 2001 From: Hunter Copp Date: Thu, 2 Apr 2026 08:36:22 -0400 Subject: [PATCH 6/7] Update workflow --- .github/workflows/claude-code-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index d1f5004ca..ff7999672 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -23,7 +23,7 @@ jobs: name: Review PR # Skip fork PRs because org secrets and internal runner access are unavailable. if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository - runs-on: claude-code-reviewer + runs-on: ubuntu-latest steps: - name: Harden the runner (Block unauthorized outbound calls) uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 From c4a29869872e98ef3e1cc74492e417311e5afe8f Mon Sep 17 00:00:00 2001 
From: Hunter Copp Date: Thu, 2 Apr 2026 10:39:02 -0400 Subject: [PATCH 7/7] Use claude code reviewer --- .github/workflows/claude-code-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index ff7999672..d1f5004ca 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -23,7 +23,7 @@ jobs: name: Review PR # Skip fork PRs because org secrets and internal runner access are unavailable. if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository - runs-on: ubuntu-latest + runs-on: claude-code-reviewer steps: - name: Harden the runner (Block unauthorized outbound calls) uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
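Review bot: The final `runs-on: claude-code-reviewer` selects by label, whereas the first revision used `runs-on: group: claude-code-reviewer`, which selects by runner group; as I read GitHub's runner selection, a label matches any runner carrying it in any group the repository can reach, so if the intent is to confine this job (and the gateway key it holds) to one dedicated pool, the `group:` form is the one that enforces it. If the label form is deliberate after the back-and-forth in patches 3 through 7, a short comment such as `# label, not runner group — any runner tagged claude-code-reviewer qualifies` would make the choice explicit.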